Traversing File Systems

A zone's file system namespace is a subset of the namespace accessible
from the global zone. Unprivileged processes in the global zone are prevented
from traversing a non-global zone's file system hierarchy through the following
means:

- Specifying that the zone root's parent directory is owned,
  readable, writable, and executable by root only

- Restricting access to directories exported by /proc

Note that attempting to access AutoFS nodes mounted for another zone
will fail. The global administrator must not have auto maps that descend into
other zones.
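
The first restriction above can be audited from the global zone. The script below is an added example, not part of the original documentation. It assumes the zone root is `<zonepath>/root`, so the zonepath is the parent directory that must be root-only, and it reads zonepaths from the fourth colon-separated field of `zoneadm list -cp` output. The function names and the `EXPECTED_UID` override are hypothetical.

```shell
#!/bin/sh
# Added example: verify each zonepath is owned by root with mode drwx------.
# EXPECTED_UID is an assumption of this example; it exists only so the
# check can be exercised on a test directory without being root.
EXPECTED_UID=${EXPECTED_UID:-0}

# check_zonepath DIR: return 0 if DIR is a directory owned by EXPECTED_UID
# and readable, writable and executable by the owner only.
check_zonepath() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    # ls -ldn prints the numeric owner; keep the 10-character mode and the uid.
    info=$(ls -ldn "$dir" | awk '{print substr($1,1,10) " " $3; exit}')
    mode=${info% *}
    uid=${info#* }
    if [ "$mode" = "drwx------" ] && [ "$uid" = "$EXPECTED_UID" ]; then
        echo "OK       $dir"
        return 0
    fi
    echo "FINDING  $dir mode=$mode uid=$uid (expected drwx------ uid=$EXPECTED_UID)"
    return 1
}

# audit_zones: read "zoneid:zonename:state:zonepath:..." lines on stdin and
# check every non-global zonepath. Returns 1 if any check fails.
# Zonepaths containing an escaped colon are not handled here.
audit_zones() {
    rc=0
    while IFS=: read -r zid zname zstate zpath rest; do
        [ "$zname" = "global" ] && continue
        [ -n "$zpath" ] || continue
        check_zonepath "$zpath" || rc=1
    done
    return $rc
}

# Run against the live configuration only where zoneadm is available.
if command -v zoneadm >/dev/null 2>&1; then
    zoneadm list -cp | audit_zones
fi
```

A zone that is configured but not yet installed may be reported as MISSING because its zonepath does not exist yet.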